Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding extension-less Office file snippet #679

Merged
merged 7 commits into from
Dec 19, 2023
Merged

Adding extension-less Office file snippet #679

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
cecce6a
Adding extention-less Office file snippet
aidenmitchell Aug 21, 2023
bba1a45
fixing size
aidenmitchell Aug 24, 2023
ddbb359
Update attachment_emotet_heavily_padded_doc_in_zip.yml
aidenmitchell Aug 24, 2023
17f91d5
Merge branch 'main' into office-fix
morriscode Sep 6, 2023
7628945
Merge branch 'main' into office-fix
morriscode Nov 21, 2023
c80d499
Merge branch 'main' into office-fix
morriscode Nov 21, 2023
75ea6ab
Merge branch 'main' into office-fix
morriscode Dec 19, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions detection-rules/attachment_cve_2023_21716_rtf_fonts.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,12 @@ source: |
.file_extension in~ ("rtf", "doc", "docx")
or .file_extension in~ $file_extensions_common_archives
or .file_extension in~ $file_extensions_macros
or (
.file_extension is null
and .file_type == "unknown"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not blocking you, but it sounds like we should add more file type matchers based on the contents? That way we can detect pdf(x), ppt(x), doc(x), etc

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This rule specifically, or the snippet in general? Agreed that we should have more file type matching, but it shouldn't go inside the snippet.

Copy link
Contributor

@rw-access rw-access Aug 22, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

totally, nothing you need to change here yet. Just making an observation that it sounds like we're short on some file type matchers in the backend. If we did have extra matchers, then you'd want to update .file_type here

and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.),
any(.scan.strings.strings, strings.ilike(., '*\fonttbl*'))
Expand Down
10 changes: 9 additions & 1 deletion detection-rules/attachment_encrypted_ole_unsolicited.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,15 @@ severity: "medium"
source: |
type.inbound
and any(attachments,
.file_extension in~ $file_extensions_macros
(
.file_extension in~ $file_extensions_macros
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and file.oletools(.).indicators.encryption.exists
)
and (
Expand Down
6 changes: 6 additions & 0 deletions detection-rules/attachment_office_file_with_vsto.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,12 @@ source: |
(
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.),
.file_extension in~ (
Expand Down
6 changes: 6 additions & 0 deletions detection-rules/attachment_office_remote_doc_template.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,12 @@ source: |
// office files
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.),
.flavors.mime == "text/xml"
Expand Down
10 changes: 9 additions & 1 deletion detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,15 @@ severity: "high"
source: |
type.inbound
and any(attachments,
.file_extension in~ $file_extensions_macros
(
.file_extension in~ $file_extensions_macros
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.),
1 of (
any(.scan.strings.strings, strings.ilike(., "*Win32_Processor*")),
Expand Down
28 changes: 8 additions & 20 deletions detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,26 +11,14 @@ severity: "high"
source: |
type.inbound
and any(attachments,
.file_extension in~ (
// MS Word
"doc",
"docm",
"docx",
"dot",
"dotm",
// MS Excel
"xls",
"xlsx",
"xlsm",
"xlm",
"xlsb",
"xlt",
"xltm",
// MS PowerPoint
"ppt",
"pptx",
"pptm",
"ppsm"
(
.file_extension in~ $file_extensions_macros
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.),
any(.scan.strings.strings,
Expand Down
6 changes: 6 additions & 0 deletions detection-rules/attachment_soliciting_enable_macros.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,12 @@ source: |
(
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.),
strings.ilike(.scan.ocr.raw, "*please*enable*macros")
Expand Down
10 changes: 9 additions & 1 deletion detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,15 @@ severity: "high"
source: |
type.inbound
and any(attachments,
.file_extension in~ $file_extensions_macros
(
.file_extension in~ $file_extensions_macros
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and ml.macro_classifier(.).malicious
and ml.macro_classifier(.).confidence in ("high")
)
Expand Down
10 changes: 9 additions & 1 deletion detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,15 @@ severity: "medium"
source: |
type.inbound
and any(attachments,
.file_extension in~ $file_extensions_macros
(
.file_extension in~ $file_extensions_macros
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.oletools(.).macros.keywords, .type =~ "autoexec")
)
and (
Expand Down
6 changes: 6 additions & 0 deletions detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,12 @@ source: |
(
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.), any(.scan.vba.auto_exec, . == "AutoOpen"))
)
Expand Down
6 changes: 6 additions & 0 deletions detection-rules/attachment_vba_macro_calling_executable.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,12 @@ source: |
(
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.), any(.scan.vba.hex, strings.ilike(., "*exe*")))
)
Expand Down
6 changes: 6 additions & 0 deletions detection-rules/attachment_vba_macro_employee_impersonation.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,12 @@ source: |
(
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and file.oletools(.).indicators.vba_macros.exists
)
Expand Down
10 changes: 9 additions & 1 deletion detection-rules/attachment_vba_macro_high_risk.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,15 @@ severity: "high"
source: |
type.inbound
and any(attachments,
.file_extension in~ $file_extensions_macros
(
.file_extension in~ $file_extensions_macros
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and file.oletools(.).indicators.vba_macros.risk == "high"
)
and (
Expand Down
11 changes: 10 additions & 1 deletion detection-rules/cve_2021_40444_external_relationship.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,16 @@ source: |
type.inbound
and any(attachments,
(
(.file_extension in~ $file_extensions_macros or .file_extension =~ "rtf")
(
.file_extension in~ $file_extensions_macros
or .file_extension =~ "rtf"
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.oletools(.).relationships, regex.icontains(.target, ".*html:http.*"))
)
or (
Expand Down
6 changes: 6 additions & 0 deletions detection-rules/impersonation_wise_suspicious_attachment.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,12 @@ source: |
or .file_type in $file_extensions_executables
or .file_type in $file_extensions_macros
or .file_type in ("lz")
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and sender.email.domain.root_domain not in~ ('wise.com', 'wise.jobs')
attack_types:
Expand Down
Loading